
Why is the Windows Kernel not rejecting a WDAC policy signed by an untrusted Private CA?

Gagan Kumar
2026-02-24T17:35:47.1533333+00:00

Hi,

We are currently implementing signed Windows Defender Application Control (WDAC) policies using a custom PKI (OpenSSL) and PowerShell.

According to Microsoft documentation (link provided below), a Private CA is unlikely to be trusted outside its network environment. However, in our testing, we have observed that when we sign a policy binary on one machine and deploy it to a separate machine—where the signing certificate has not been added to the 'Trusted Root Certification Authorities' store—the kernel is not rejecting the policy. Instead, it accepts and enforces it.

*Microsoft Documentation link: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store

We would like to understand the reason for this behaviour and what we are missing in our configuration.

Can someone please help.

Regards,

Gagan

Microsoft Security | Microsoft Defender | Other

1 answer

  Q&A Assist
    2026-02-24T17:36:00.5666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior you're observing, where the Windows Kernel accepts and enforces a WDAC policy signed by an untrusted Private CA, could be due to several factors related to how Windows handles code signing and policy enforcement.

    1. Local Trust: If the signing certificate is present in the local machine's certificate store (even if not in the Trusted Root Certification Authorities store), the system may still trust it for the purpose of enforcing WDAC policies. This means that the kernel might not strictly require the certificate to be in the Trusted Root store for it to validate the signature.
    2. Policy Configuration: The specific configuration of your WDAC policy might allow for more leniency in terms of certificate trust. If the policy is set to allow certain types of signatures or if it is configured to trust specific certificates, this could explain why the kernel accepts the policy.
    3. Testing Environment: In a testing environment, certain security features might be relaxed or configured differently compared to a production environment. This could lead to unexpected behavior regarding how policies are enforced.
    4. Certificate Chain: If the certificate chain leading back to a trusted root is valid, the kernel may still accept the policy even if the root CA is not explicitly trusted on that machine.

    To further troubleshoot this issue, you may want to check the following:

    • Ensure that the signing certificate is indeed not present in the Trusted Root Certification Authorities store.
    • Review the WDAC policy settings to see if there are any configurations that might allow for the acceptance of the policy.
    • Check the event logs for any messages related to code integrity and policy enforcement that might provide additional insights.

    Understanding the specific configuration and environment will help clarify why the kernel is not rejecting the policy as expected.

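The three troubleshooting checks in the answer above (is the signer really absent from the root store, what does the policy itself say about who may sign it, and what did Code Integrity log) can be scripted and run on the target machine. The PowerShell below is an added example, not part of the question or the answer. It assumes the signed policy file is an attached PKCS#7 SignedData blob (what `openssl smime -sign -nodetach -binary` or `signtool /p7` produce; a detached signature would make `Decode` fail), that the source policy XML is available beside it, and that the two paths are placeholders to be replaced. It deliberately separates "the signature verifies cryptographically" from "the signer chains to a root this machine trusts", because those are different questions and the WDAC policy's own `<UpdatePolicySigners>` rules are expressed in the policy XML, not in the Trusted Root store.

```powershell
# Added diagnostic for a signed WDAC policy (example code, not from the page).
# Both default paths are assumptions; point them at your own files.
param(
    [string]$SignedPolicy = 'C:\WDAC\signed-policy.cip',   # assumed path to the signed .cip/.p7b
    [string]$PolicyXml    = 'C:\WDAC\policy.xml'           # assumed path to the source policy XML
)

Add-Type -AssemblyName System.Security

# 1. Decode the PKCS#7 envelope and check only the cryptography.
#    CheckSignature($true) verifies the signature over the content but skips chain trust,
#    so $sigValid can be $true for a signer nobody on this machine trusts.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes($SignedPolicy))
try   { $cms.CheckSignature($true); $sigValid = $true }
catch { $sigValid = $false }
$signer = $cms.SignerInfos[0].Certificate
"Signature cryptographically valid : $sigValid"
"Signer subject                    : $($signer.Subject)"
"Signer issuer                     : $($signer.Issuer)"
"Signer thumbprint                 : $($signer.Thumbprint)"

# 2. Does the signer chain to a root in the local machine's trust store?
#    Intermediates carried inside the PKCS#7 are offered via ExtraStore so the only
#    thing that can fail here is the trust anchor (expect UntrustedRoot for a private CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($extra in $cms.Certificates) { [void]$chain.ChainPolicy.ExtraStore.Add($extra) }
$chainsToTrustedRoot = $chain.Build($signer)
"Chains to trusted root            : $chainsToTrustedRoot"
if (-not $chainsToTrustedRoot) {
    $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
}
$rootMatch = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint -or $_.Subject -eq $signer.Issuer }
"Signer or its issuer in LocalMachine\Root: $([bool]$rootMatch)"

# 3. What the policy itself declares about who may sign it.
#    <Signers>/<Signer> carry a CertRoot (TBS hash) and <UpdatePolicySigners> reference them by ID.
[xml]$policy = Get-Content -Raw -Path $PolicyXml
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('ci', 'urn:schemas-microsoft-com:sipolicy')
$signerById = @{}
foreach ($s in $policy.SelectNodes('//ci:Signers/ci:Signer', $ns)) { $signerById[$s.ID] = $s }
"UpdatePolicySigners declared in the policy:"
foreach ($ref in $policy.SelectNodes('//ci:UpdatePolicySigners/ci:UpdatePolicySigner', $ns)) {
    $s = $signerById[$ref.SignerId]
    "  $($s.Name)  CertRoot Type=$($s.CertRoot.Type) Value=$($s.CertRoot.Value)"
}
# Option 6 ("Enabled:Unsigned System Integrity Policy") must be absent for the policy to require signing at all.
$unsignedRule = $policy.SelectSingleNode("//ci:Rules/ci:Rule[ci:Option='Enabled:Unsigned System Integrity Policy']", $ns)
"Policy still allows unsigned updates: $([bool]$unsignedRule)"

# 4. What Code Integrity logged around policy refresh/activation (run from an elevated shell).
#    3099 is the "policy loaded/activated" event; the neighbouring IDs report refresh outcomes.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 300 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ge 3095 -and $_.Id -le 3105 } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it as an administrator on the machine that accepted the policy. If step 1 reports a valid signature while step 2 reports `UntrustedRoot` and no root-store match, the observation in the question is reproduced and the explanation has to come from steps 3 and 4 (which signer the policy names and what Code Integrity recorded), not from the Trusted Root store.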
